web美团外卖mtgsig

声明

本文章中所有内容仅供学习交流使用，不用于其他任何目的，抓包内容、敏感网址、数据接口等均已做脱敏处理，严禁用于商业用途和非法用途，否则由此产生的一切后果均与作者无关！

分析图

启动流程在这里，发起xml进去加密地方。根据true/false生成在url后面还是请求头里面。

加密文件

 大部分关键代码

!(() => {
    "use strict";
    const $toString = Function.toString;
    const myFunction_toString_symbol = Symbol('('.concat('', ')_', (Math.random() + '').toString(36)));
    const myToString = function () {
        return typeof this == 'function' && this[myFunction_toString_symbol] || $toString.call(this);
    };

    function set_native(func, key, value) {
        Object.defineProperty(func, key, {
            "enumerable": false,
            "configurable": true,
            "writable": true,
            "value": value
        })
    };
    delete Function.prototype['toString']; //删除原型链上的toString
    set_native(Function.prototype, "toString", myToString); //自己定义个getter方法
    set_native(Function.prototype.toString, myFunction_toString_symbol, "function toString() { [native code] }"); //套个娃 保护一下我们定义的toString 否则就暴露了
    this.func_set_natvie = (func) => {
        set_native(func, myFunction_toString_symbol, `function ${myFunction_toString_symbol, func.name || ''}() { [native code] }`);
    }; //导出函数到globalThis
}).call(this);
const XMLHttpRequest = require('xhr2');
Window = function Window() {
    throw new TypeError('Illegal constructor')
};
this.func_set_natvie(Window);
Window.prototype.PERSISTENT = 1
Window.prototype.TEMPORARY = 0
Navigator = function Navigator() {
    throw new TypeError('Illegal constructor')
};
this.func_set_natvie(Navigator);
window = global
Object.defineProperties(Window.prototype, {
    [Symbol.toStringTag]: {
        value: 'Window',
        configurable: true
    }
})
Object.defineProperties(Navigator.prototype, {
    [Symbol.toStringTag]: {
        value: 'Navigator',
        configurable: true
    }
})
window.__proto__ = Window.prototype
window.DataView = function DataView() {
    console.log('window.DataView', arguments)
};
this.func_set_natvie(DataView);
window.Notification = function Notification() {
    console.log('window.Notification', arguments)
};
this.func_set_natvie(Notification);
location ={
  
}
screen = {}
screen.width = 0
screen.height = 0
screen.availHeight = 0
screen.availWidth = 0
screen.orientation = {
 
}
screen.pixelDepth = 24
screen.colorDepth = 24
window.XMLHttpRequest = function XMLHttpRequest() {
    console.log('window.XMLHttpRequest'.arguments)
    return {
        open: function open() {
        },
        send: function send() {
        }
    }
}
window.MouseEvent = function MouseEvent() {
    console.log('window.MouseEvent'.arguments)
}
window.scroll = function scroll() {
    console.log('window.scroll'.arguments)
}
window.scrollBy = function scrollBy() {
    console.log('window.scrollBy'.arguments)
}
window.scrollBy = function scrollBy() {
    console.log('window.scrollBy'.arguments)
}
window.WebGLRenderingContext = function WebGLRenderingContext() {
    console.log('window.WebGLRenderingContext'.arguments)
}
window.H5guardCount = 1
window.wPaths = []
window.xhrHook = true
window.fetchHook = true
window.xhrHooked = true
window.xhrHook = true
window.xhrHooked = true
window.onbeforeinstallprompt = null
window.onhashchange = null
window.ondevicemotion = null
window.ondeviceorientation = null
window.ondeviceorientationabsolute = null
setInterval = function () {
}
setTimeout = function () {
}
Navigator.toString = function toString() {
    return 'function Navigator() { [native code] }'
};
this.func_set_natvie(Navigator.toString);
navigator = {}
navigator.__proto__ = Navigator.prototype
window.self = window
window.top = window
window.localStorage ={}
window.document = {}
document.createEvent = function createEvent(type) {
    console.log('document.createEvent', arguments)
}
document.cookie = {}
document.documentElement = {
    appendChild: function appendChild() {
        console.log('appendChild')
    },
    removeChild: function removeChild() {
        console.log('removeChild')
    },
    clientHeight: 760,
    clientWidth: 150,
    scrollTop: function scrollTop() {
    }

}
window.sessionStorage = {}
window.localStorage.clear = function clear() {
    var temp = Object.keys(this)
    for (var i = 0; i < temp.length; i++) {
        delete this[temp[i]];
    }
};
window.sessionStorage.clear = function clear() {
    var temp = Object.keys(this)
    for (var i = 0; i < temp.length; i++) {
        delete this[temp[i]];
    }
};
window.localStorage.getItem = function getItem(key) {
    return this[key]
};
window.sessionStorage.getItem = function getItem(key) {
    return this[key]
};
window.localStorage.key = function key(index) {
    return Object.keys(this)[index]
};
window.sessionStorage.key = function key(index) {
    return Object.keys(this)[index]
};
window.localStorage.removeItem = function removeItem(key) {
    delete this[key]
};
window.sessionStorage.removeItem = function removeItem(key) {
    delete this[key]
};
window.localStorage.setItem = function setItem(key, value) {
    this[key] = value
};
window.sessionStorage.setItem = function setItem(key, value) {
    this[key] = value
};
window.fetchHooked = true
window.wDomains =[
]
window.name = ''
window.indexedDB = {}
window._phantom = undefined
window.phantom = undefined
window.callPhantom = undefined

navigator.plugins = [{name: "PDF Viewer"}, {name: "Chrome PDF Viewer"}, {name: "Chromium PDF Viewer"},
    {name: "Microsoft Edge PDF Viewer"}, {name: "WebKit built-in PDF"}]
oph = Object.prototype.hasOwnProperty
Object.prototype.hasOwnProperty = function hasOwnProperty(val) {
    if (val === 'webdriver') {
        return false
    }
    return oph.apply(this, arguments)

document.body = {
    appendChild: function appendChild() {
    },
    removeChild: function removeChild() {
    },
    scrollTop: 0
}
window.AudioContext = function AudioContext() {
    console.log('window.AudioContext', arguments)
}
window.status = ''
window.frameElement = null
window.onsearch = null
window.external = {}
window.styleMedia = {type: "screen"}
window.isSecureContext = true
window.getSelection = function getSelection() {
    return {
        anchorOffset: 0,
        baseOffset: 0,
        extentOffset: 0,
        focusOffset: 0,
        isCollapsed: true,
        rangeCount: 0,
        type: "None",
    }
}
window.find = function find() {
    console.log("window.find", arguments)
}

window.dispatchEvent = function dispatchEvent() {
    console.log("window.dispatchEvent ", arguments)
}
window.postMessage = function postMessage() {
    console.log("window.postMessage", arguments)
}
window.removeEventListener = function removeEventListener() {
    console.log("window.removeEventListener", arguments)
}
document.removeEventListener = function removeEventListener(val1, val2) {
    console.log("document.removeEventListener", arguments)
}
window.addEventListener = function addEventListener(val1, val2, val3) {
    console.log("window.addEventListener", arguments)
    // val2()
}
window.PointerEvent = function PointerEvent() {
    console.log('windo.wPointerEvent', arguments)
}
document.addEventListener = function addEventListener(val1, val2, val3) {
 
}
window.createImageBitmap = function createImageBitmap() {
    console.log("window.createImageBitmap", arguments)
}
navigator.sendBeacon = function sendBeacon() {
    console.log('navigator.sendBeacon', arguments)
}
navigator.javaEnabled = function javaEnabled() {
    console.log('navigator.javaEnabled', arguments)
}
navigator.vibrate = function vibrate() {
    console.log('navigator.vibrate', arguments)
}
navigator.userActivation = {
    hasBeenActive: true,
    isActive: false
}
navigator.mediaSession = {
    playbackState: "none"
}
navigator.clipboard = {}
navigator.credentials = {}
navigator.keyboard = {}
navigator.locks = {}
navigator.mediaCapabilities = {}
navigator.onLine = true
navigator.serviceWorker = {}
navigator.storage = {}
navigator.presentation = {}
navigator.bluetooth = {}
navigator.usb = {}

结果

总结

1.出于安全考虑,本章未提供完整流程,调试环节省略较多,只提供大致思路,具体细节要你自己还原,相信你也能调试出来。